OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • High availability »
  • Seeking guidance on moving WAN phy on a live ha firewall pair
« previous next »
  • Print
Pages: [1]

Author Topic: Seeking guidance on moving WAN phy on a live ha firewall pair  (Read 959 times)

Wolfspyre

  • Newbie
  • *
  • Posts: 42
  • Karma: 2
    • View Profile
Seeking guidance on moving WAN phy on a live ha firewall pair
« on: May 01, 2024, 08:47:32 pm »
Hai all!

SO!
snazzy new internet upgrade happens... woohoo....
however now my firewall pair's wan interface is no longer fast enough to consume the additional bandwidth.

Fortunately, my firewall pair **DOES** have available and unutilized interfaces which ARE capable (copper 10G)
(I'm using the 10G SFP interfaces on it currently)

so in specific:
  • igb0 **Heartbeat**
  • igb1 **current WAN**
  • igb2 **secondary unconfigured wan ((project for tomorrowland/not in scope here))**
  • igb3 **virtual endpoint vlan**
  • ixl0 *currently unused*
  • ixl1 *currently unused*
  • ixl2 **LAGG0.0**
  • ixl3 **LAGG0.1**
  • lagg0 (many vlan interfaces for internal traffic)

so both firewalls have the above rough topology.

essentially I want to identify the least problematic way to accomplish the goal of

move everything interacting with the physical connection 'igb1' to the physical connection 'ixl0'

on the firewall pair.

I can certainly cease using the standby for a bit
(ie power it off to prevent wobbly bits from making things harder than they need to be while reconfiguring)

but I'm not sure what the best way forward is...

I have a couple ideas, but before grabbing the scissors, blindfold, and running shoes, It felt prudent to reach out here and ask what others' experience has been.

anyone have any guidance or experience they care to share?



Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6797
  • Karma: 571
    • View Profile
Re: Seeking guidance on moving WAN phy on a live ha firewall pair
« Reply #1 on: May 01, 2024, 09:09:01 pm »
Schedule a maintenance window, then while connected from an internal interface go to

Interfaces > Assignments

change the WAN assignment from igb0 to ixl0, save, apply, done. I would reboot to be sure, hence the maintenance window.

That's the reason why there is an additional abstraction layer (Assignments) between IP addresses, rules, ... and physical interfaces. Everything configured for WAN will carry over, you are only changing the physical port.
« Last Edit: May 02, 2024, 05:30:27 pm by Patrick M. Hausen »
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Wolfspyre

  • Newbie
  • *
  • Posts: 42
  • Karma: 2
    • View Profile
Re: Seeking guidance on moving WAN phy on a live ha firewall pair
« Reply #2 on: May 02, 2024, 05:28:13 pm »
I'd **HOPED** it would be this simple; but you know how it goes.... there's almosty always .....
Wibbly bits.


'this mostly works, unless you have HA configured alongside _service-here_ and....'

kinds of things ;)

(For example,  if you set the heartbeat crossover interface to have an MTU > 1500 things can go kinda pear shaped)


appreciate the $.03. hopefully it'll be as straight forward as we want it to be ;)
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • High availability »
  • Seeking guidance on moving WAN phy on a live ha firewall pair
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2